Leveraging the payments community to make subscriptions unstoppable
Disclaimer: This article should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA) for clarification. It’s mostly relevant for companies processing less than 6 million transactions.
As the population increases, so does the amount of data that’s processed every single day. In the last few years alone, over 90% of the data in the world was generated. It’s a fascinating prospect, and it’s only going to increase.
According to PCI SSC, the average total cost of a data breach is $3.8 Million. And as a growing business, you need to know how to cope with it to set yourself up for success. It’s hard to stay on top of, as you want to be focusing on growing your business rather than worrying about data breaches.
The poor handling of payment card details in particular can have serious implications. If your business isn’t trusted, then you won’t be successful. It’s obvious, and you only need to take a few steps to keep cardholder data secure and be PCI compliant.
In this article, we’ll explore what we’ve learned over the years on how a growing business like yours can take data security seriously. And we’ll outline the steps you can take to build a sustainable business that’s successful now, and over time.
What do you need to do?
To become compliant, you will have to implement the requirements that are applicable to your business set forward by PCI DSS. And also fill in a form or two. Below we’ll highlight the most common form called a ‘Self-Assessment Questionnaire A’ or ‘SAQ A’. The SAQ A is intended as a tool to help you assess which requirements you need to implement.
To help with your understanding, its fundamentals consist of three security best practices you need to know and take action on.
How can we help you and your business?
To protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks, the PCI SSC has implemented certain technical and operational requirements. These requirements apply to every company that collects, processes, stores, or transmits cardholder data. These are called PCI DSS, short for Payment Card Industry Data Security Standards.
Every business accepting credit card payments has to comply with PCI DSS. And even though PCI DSS is not part of any law, the standard is applied around the world.
Every business has to make sure they are compliant every year with PCI DSS by completing one of the official PCI SSC validation documents. And there are some pretty significant penalties and costs for organizations that don’t comply with the requirements.
Being PCI compliant minimizes the chances of a data breach resulting from malicious attacks. It doesn't completely eliminate the chance of a compromise. However, the card brands may significantly lower or eliminate PCI fines if the company in question has taken all the necessary steps to be PCI DSS compliant.
1. Map the flow of cardholder data
Create an accurate data flow diagram to map the movement of cardholder data. This includes any applications, systems and people who work with credit card data, including Service Providers. This is usually done with the assistance of IT staff.
2. Scope your environment
3. Make an assessment
Assess your current level of PCI compliance according to an SAQ A. The person completing the assessment should have sufficient knowledge to be able to assess the environment.
4. Make any necessary changes
You may realize your business falls short of at least one criterion. If this is the case, take time to make any necessary security improvements to your business.
5. Fill out the Self-Assessment Questionnaire (SAQ) A
This form should be completed and signed by a professional qualified to sign off on security related matters. This might be your Chief Security Officer or Chief Technology Officer.
6. Submit documents to Adyen
Once you’ve completed your forms, you can submit them to us.
7. Setup regular monitoring
Make sure you monitor compliance on an ongoing basis throughout the year, as PCI DSS is not a single event, but a continuous, ongoing process.
If an attacker gains unauthorized access to your website, they can find ways to deceive the shopper. For example, attackers can create alternative content for the Drop-in or Components, or drop an IFrame over the already existing IFrame. In these scenarios, the payment may still be completed, but a copy of the cardholder data is sent to the attacker.
The risks associated with this integration can be significantly reduced by implementing the requirements as outlined in the SAQ A.
It may seem a little overwhelming at first, but the steps you have to complete aren’t that complicated. One of the final steps is to complete a self-assessment questionnaire. It’s good to fill this in as soon as you can as your payments provider can’t do it for you.
We require different documents, depending on integration. If you’re an Adyen customer, you can find out more about these by going to our documentation page. There you’ll find a full breakdown of the forms that you’ll need to complete during your integration. If you process less than 6 million transactions per acquiring region per year, you are eligible to complete an SAQ.
With many things on your list to do whilst growing your business, data security can sometimes take a back seat. Being compliant isn't as hard as you may have thought. We offer a variety of encryption solutions along with our secure, PCI Compliant platform.
This way you never see and never have access to unencrypted cardholder data. It’s less work for you to comply with PCI DSS, and you’re less likely to be exposed to a cardholder data environment.
We’re now waiting to hear more from the next version of PCI (version 4), which will be released later this year. As always, we’re ahead of every change and update to compliance standards around the world. And we work closely with all parties involved to keep you, us, and the world a more secure payments space.
About the author: Helen Huyton guides Merchants on PCI DSS related topics with expertise in the risks involved per integration, how to mitigate the risks and which validation documentation is required in order to be PCI compliant.
By submitting this form, you acknowledge that you have reviewed the terms of our Privacy Statement and consent to the use of data in accordance therewith.